A Formal Model for Dynamically Adaptable 

Services 

Jorge Fox 

Abstract — The growing complexity of software systems as well as changing conditions in their operating environment demand systems 
that are more flexible, adaptive and dependable. The service-oriented computing paradigm is in widespread use to support such 
adaptive systems, and, in many domains, adaptations may occur dynamically and in real time. In addition, services from heterogeneous, 
possibly unknown sources may be used. This motivates a need to ensure the correct behaviour of the adapted systems, and its 
continuing compliance to time bounds and other QoS properties. The complexity of dynamic adaptation (DA) is significant, but currently 
not well understood or formally specified. This paper elaborates a well-founded model and theory of DA, introducing formalisms written 
using COWS. The model is evaluated for reliability and responsiveness properties with the model checker CMC. 

Index Terms — Service-Oriented Architectures, Dynamic Adaptation, Formal Methods. 
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1 Introduction 

Modern software Systems typically operate in dynamic 
environments and are required to deal with changing 
operational conditions, while remaining compliant with 
the contracted quality of service. The execution context 
of modern distributed systems environments is not static 
but fluctuates dynamically and to provide the expected 
functional service with the desired qualities, systems 
must be adaptable. Software service adaptation supports 
modification of existing services or inclusion of new 
ones, in response to inputs from the operating environ- 
ment. Inputs or triggers for adaptation include changes 
in the running environment and availability of new ser- 
vices. When adaptation occurs at runtime, quality of ser- 
vice requirements range from timeliness, user perceived 
performance, service response time, to preservation of 
data integrity, service performance within given time 
bounds and the resulting system must comply with the 
execution time established for the system as a whole. 
Each one of these requirements has to be addressed 
accordingly, for instance, preservation of data integrity 
requires a mechanism to verify that the integrity of 
the data is kept during and after the adaptation, while 
timeliness and performance related requirements can be 
addressed by maintaining the execution times within the 
desired time bounds. 

While the possibility of dynamic service deployment 
and evolution offers an exciting range of application 
development opportunities, it also poses a number of 
complex engineering challenges. These challenges in- 
clude detecting adaptation triggers, facilitating timely, 
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dynamic service composition, predicting the temporal 
behaviour of unforeseen service assemblies and pre- 
venting adverse feature interactions following dynamic 
service composition . Therefore, a dynamically adaptable 
service has to be able to identify triggers for adaptation, 
select and conduct an adaptation strategy, and preserve 
desired quality of service properties, while avoiding 
undesired behaviours during or after the adaptation. 

A promising approach to achieving the required prop- 
erties in DA services is the use of formal methods 
and techniques, which have been successfully applied 
for managing complexity and system development to 
ensure implementations of high quality verification 
and validation of the behaviour of adaptive programs 
and architecture engineering processes that validate 
a program against desired functional properties ||3] . 
However, most previous efforts to validate dynamically 
adaptable services against desired functional properties 
have been either limited to verifying conditions that 
are defined before runtime execution or impose high 
verification costs as each adaptation must be individ- 
ually modelled and verified, making these approaches 
extremely expensive. Consider that an adaptive program 
with N different behaviours potentially has N 2 distinct 
ways of adaptation. The result is that building DA 
services is either expensive or limited to predefined 
adaptation scenarios. Even more, these approaches focus 
their analysis on the resulting program neglecting the 
analysis of the adaptation mechanism itself, that is the 
adaptation manager (AM). We consider the adaptation 
mechanism to be of capital importance in the develop- 
ment of DA services, since it is responsible for monitor- 
ing compliance of the adaptation to desired properties 
and functionalities. 

Current approaches to DA propose various mecha- 
nisms for handling adaptation, such as: Generic Inter- 
ceptors [4j, DA with aspect-orientation 0, Dynamic 
Reconfiguration 0, Dynamic Linking of Components 
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JZl, and Model-Driven Development of DA Software |2"1 . 
However, none of these provides a formal framework 
to verify the adaptation mechanism against commonly- 
accepted service properties. Formal languages provide 
the underpinnings to explain and model software sys- 
tems in a precise manner, and are fundamental for 
the level of analysis, validation and proof required for 
assuring adaptation compliance to specifications. In this 
paper, we propose an abstract conceptual model of an 
AM and explore its operation in view of quality of ser- 
vice properties, such as availability and responsiveness. 

This article is organised as follows: Section [2] provides 
an overview of current DA approaches. In order to build 
a formal model of the problem, an underlying language 
that facilitates its description and depicts the desired 
functionality properties at the same abstraction level 
is required, Section [3] discusses the steps we followed 
to select this foundation and the model checking tools 
supported by the language. Section |4] introduces our 
formal model and discusses its properties. Availability 
and responsivenes are identified as desirable attributes 
of services 1 8 1 . In Section [5] we explore our model in 
view of these attributes, and elaborate some lessons 
learned and topics requiring more research. Section [6] 
discusses related work. Finally, Section [7] presents some 
conclusions. 

2 An Overview of Dynamic Adaptation 
Techniques 

Some existing techniques for DA provide mechanisms 
to incorporate adaptation elements at design time, such 
as the work of |9| or allow for reconfigurations at 
runtime. These techniques can be classified according 
to the extent or scope of the adaptations that are made 
possible, the degree to which the adaptation triggers 
have to be known in advance, and the tools that the 
particular framework offers to implement or program a 
dynamically adaptive software. We also find techniques 
that allow dynamic linking and unlinking components 
or services as in (7| and techniques that apply aspect- 
orientation to achieve DA as 0. Another group of 
techniques offer reconfiguration techniques that enable 
systems to adjust internal or global parameters to re- 
spond to changes in the environment as in IfTOl , or 
Generic Interceptors with Adaptive CORBA, which en- 
ables message interception to add additional behaviour 
for adaptation |4J. 

While these techniques offer an interesting range of 
options to achieve different degrees of DA, questions re- 
lated to adaptation trigger identification and soundness 
of a given adaptation model are still open. 

3 Formal Foundation 

3.1 The Service-oriented Language COWS 

In order to elaborate a model of dynamic adaptation, we 
explored a number of languages in |11 1. Current service- 



oriented formal languages like: PiDuce [12J, SOCK- 
/JOLIE El, COWS d, KLAIM El, and SCC JH 
offer each a different range of possibilities to model 
DA. Every one of these languages has an underlying 
process algebra and constructs that support defining 
services and expressing substitution and deactivation 
processes. The prime mechanism in PiDuce to model 
service substitution is through virtual machines, while in 
the case of COWS it is modelled by delimited receiving 
and killing activities handled with its process calculus, 
JOLIE and PiDuce offer no deactivation process. After 
reviewing these languages, we concluded that the best-fit 
language for modelling our runtime dynamic adaptation 
problem is COWS. Given the characteristics of the lan- 
guages selected, where only COWS provides constructs 
for timing analysis. Timeliness was not the only deciding 
criteria, considering only extent adaptation of services 
merely via channel renaming is sufficient to achieve DA 
is questionable, as is the case of PiDUce. In this regards 
the composition mechanisms of SOCK/ JOLIE are more 
adequate, yet again with no possibility to evaluate time- 
liness. Our choice is clear and well founded. For more 
on the language COWS the reader may refer to [14J. 

3.2 Model Checking Tools 

Model checking is an automatic technique for verifying 
finite-state reactive systems. Specifications are expressed 
in a propositional temporal logic, and the reactive system 
is modeled as a state-transition graph. An efficient search 
procedure is used to determine automatically if the 
specifications are satisfied by the state-transition graph 

El- 

Model checking llTBl as an automatic verification tech- 
nique covers a wide field of diverse, often ad hoc, and 
incomplete methods for showing correctness, or, more 
precisely, for finding bugs. Other verification techniques 
include theorem proving [19 1 and testing E01 . This tech- 
nique allows software developers to find subtle errors in 
the design of safety-critical systems that often elude con- 
ventional simulation and testing techniques in a proven 
cost-effective manner by systematically exploring the 
state space of concurrent or reactive systems. Further- 
more, model checking integrates well with conventional 
design methods. This is the reason why model checking 
is being adopted as a standard procedure for the quality 
assurance of reactive systems. This is done by comput- 
ing a system's state space from an abstract description 
specified in a modeling language. Several properties of 
a model of a system can then be checked by exploring 
this state space: deadlocks, dead code, violations of user- 
specified assertions, etc. The properties that state-space 
exploration techniques can verify has been substantially 
broadened thanks to the development of model-checking 
methods for various temporal logics. A number of model 
checkers are available, such as: SPIN Jill, SMV (221, 
UMC 1231, and CMC El, GJ3, as well as related analysis 
tools and languages such as the analyser Alloy |26J. 
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CMC works on unmodified C or C++ implementations 
and explores large state spaces efficiently by storing 
states. Like traditional model checkers, CMC achieves 
the equivalent of executing astronomical numbers of 
tests in reasonable time. In this work, we use the model 
checker CMC [27] for the above mentioned reasons and 
its seamless integration with the language COWS. 

4 A Model for Dynamic Adaptation 

A wide range of currently available approaches for 
services adaptation offer several techniques to achieve 
DA. However, at the same time most are static, and more 
importantly, the flexibility of adaptation or the degree at 
which adaptations are achieved, is in most cases limited. 
Also, in many existing DA frameworks adaptation is 
achieved by parametrisation or reconfiguration, which 
may render limited solutions with respect to flexibility 
and limit further adaptations. Another area of opportu- 
nity we identify is the need to obtain service adaptation 
while ensuring compliance with predefined properties. 
This is precisely the motivation behind this work. We 
introduce in this work a model for DA that has been vali- 
dated against desirable attributes of services and service- 
oriented computing applications Il28l . According to this, 
a service should be: available, reliable, and responsive. 

This section presents a two-step process for establish- 
ing our DA model. The five steps are listed as follows: 

1) A scenario explaining a dynamic adaptation prob- 
lem 

2) Design of the model in a formal language suitable 
for verification 

4.1 DA Scenario 

The scenario is based on a tollbooth system, that can be 
considered a distributed system. The flow of events is 
given below. In this scenario a car approaches a tollbooth 
and gets a welcoming signal from it. If the car 's payment 
protocol is not compatible to that of the tollbooth, then it 
receives a new protocol from the tollbooth. Afterwards, 
the car verifies the protocol and if needed adapts its 
electronic toll system to comply with the tollbooth's 
protocol. The scenario is illustrated in Figure [2] 

The ETS has access to an electronic money pocket 
that is adjusted to a given tollbooth protocol, when the 
protocol is available. Modifying the system to comply 
with a new ETS protocol, steps 6-a and 6-b, in the 
tollbooth scenario, have to be performed at runtime. 
The adaptation is executed by a service that substitutes 
the former one. DA is the solution for this real-time 
adaptation problem. 

4.2 Model of DA in COWS 

The scenario in Figure [T] indicates the need for a mech- 
anism to identify the adaptation trigger that initiates 
the adaptation process. We call it "Requestor", in our 
scenario it is represented by a welcoming signal and 
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Fig. 2. Scenario. Service adaptation procedure 



the request to confirm compatibility with the tollbooth. 
When the Requestor triggers an adaptation, this request 
has to be processed by another service, this service is 
the AM. The trigger for adaptation is processed and 
a decision on whether to proceed with an adaptation 
or not is taken also by the AM. Preservation of timeli- 
ness constraints has to be considered and incorporated 
in the AM, estimating the time to achieve adaptation 
and integrating this information with predefined upper- 
bound values. In case the adaptation can be realised 
within the specified time bounds, the AM may start a 
reconfiguration process. 

The model illustrates the control flow for the adapta- 
tion, starting with the requestor, then a service amcheck 
is called with the time estimations. The timeliness con- 
ditions are examined in amcheck (listing |5}, in case 
the adaptation can be fulfilled within the defined time 
bound, a second condition is evaluated (listing |6j, which 
verifies that the adaptation preserves the overall exe- 
cution time of the service. In case both conditions are 
uphold amadapt is called and the requestor receives 
the signal signal OK registering a successful adaptation 
(listing |4j. Our model focused on two timeliness con- 
ditions, adaptation time and execution time, however, 
other conditions that the system has to preserve can be 
analysed by the AM in the same manner. For instance, 
verifying that the service to be reconfigured is in a 
quiescent state before performing any changes in order 
to avoid interaction and coordination conflicts. 

5 Verifying Quality of Service Proper- 
ties on the Model 

Dynamic software architectures allow us to build dy- 
namically adaptable systems by supporting the modi- 
fication of a system's architecture at runtime. Possible 
modifications include structural adaptations that change 
the system configuration graph, for example, the creation 
of new and the deletion of existing components and 
connectors, as well as functional adaptations where com- 
ponents are replaced. Further, even more challenging 
changes are those that modify the behaviour of compo- 
nents and ultimately services. 

In order to achieve reliable dynamic adaptable services 
we need to evaluate service modifications against a num- 
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Fig. 1. Activity Diagram. Adaptation Process 



ber of quality of service properties. Services must comply 
as a minimum with the following three properties. The 
first one, Responsiveness, means that the service always 
guarantees an answer to every received service request, 
unless the user cancels. The second property, Availability, 
requires that the service is always capable to accept a 
request. Finally, the third property, Reliability means that 
the service request can always succeed. 

In order to evaluate a system against these properties, 
we first have to formulate them in a language capable of 
being analysed, preferably in an automated manner. In 
the following we introduce our representation of these 
properties in COWS-CMC. Afterwards, we explore the 
model at the hand of these properties with the model 
checker CMC evaluating its compliance to the properties 
and show a run of the model checker in Appendix [B] 

In order to explore the first property, Responsiveness, 
we define a formula with a universal quantifier on the 
response arncheck following a call to the AM specified as 
an existential quantifier to the AM, as shown in Listing [T 



A run of the model checker can be found in Figure 3(a) 



Responsiveness 

AG[ request (adaptManager) ] true 
EG[ accepting_request (adaptManager) 
true 



AF[ response (arncheck) ] 



Listing 1 . Responsiveness 

Availability can be easily represented by a universal 
quantifier on calls to the AM as illustrated in Listing [2] 



Availability 

AG[ request (adaptManager) ] true 



A run of CMC to check Availability can be found in 
Figure 3(b) 



Reliability 

EG[ request ( requestor ) ] EG[ response (launchOK) ] EG[response( 
launchFail)]true 



Listing 3. Reliability 

An examination of the model with the model-checker 
CMC confirms that it complies with the third property, 
Reliability, formulated in Listing [3] See Figure 3(a) 



of the model checker can be found in Figure 3(c) 



A run 



Listing 2. Availability 



6 Related Work 

We introduce related work in two groups. First, those 
approaches specifically related to DA, second, formal 
approaches that are applied to analyse similar families 
of problems as the ones presented here. 

Dynamic Adaptation 
We find an overview of DA and its constituents in 
the work of Mckinley et al. 1291 , 11301 , however they 
do not advance a formal model or proposal to explore 
DA, which is the aims of our work. Similarly to the 
elements of DA we identified, Segarra and Andre de- 
scribe a similar model to ours with components that can 
be customized for different applications, a component 
in their framework can be provided with a controller 
which performs the adaptation depending on execution 
conditions I31J . In our proposal we define one controller, 
the adaptation manager, that gathers information from 
supporting services such as timing and execution evalua- 
tion in order to perform adaptations. Work has also been 
carried out to map BPEL to Process Algebras as Ferrara 



[32|, to Pi-calculus as Abouzaid J33l, and to Petri Nets 
as Ouyang et al. l34l . 

Formal approaches to DA 
The work of Laneve and Zavattaro 1 35 1 on web services 
advances an extension to the 7r-calculus with a transac- 
tion construct, the calculus web7r. This model supports 
time and asynchrony. However it remains at a more 
abstract level and is not applied to dynamic adaptation. 
Ferrara |32| relies on process algebra to design and verify 
web services, this work also allows to verify temporal 
logic properties as well as behavioural equivalence be- 
tween services. Compared to this work, our attempt is 
more general and is directed at the study of dynamic 
adaptation. Finally our proposal is aimed at identifying a 
formal service-oriented language for modelling dynamic 
adaptation, rather than advancing techniques for formal 
verification of web services or services as in the work 
of Ferrara. Mori and Kita |36J explore the use of genetic 
algorithms to dynamic environments and offer a survey 
on problems of adaptation to dynamic environments. 
The work of ter Beek at al. [37 1 reviews service compo- 
sition approaches with respect to a selection of service 
composition characteristics and helps to underscore the 
value of formal methods for service analysis at design, 
specially service composition. The authors present a 
valuable analysis of formal approaches to service compo- 
sition and elaborate a useful comparison. We mentioned 
the need to provide mechanisms to assure consistency 
of the system during and after an adaptation, this has 
been further explored by Amano and Watanabe |38|, 
at this stage, we do not aim at discussing consistency. 
Nevertheless by relying on a formal language we will 
be able to support consistency checks. 

7 Conclusion 

Real time DA is an area of research that poses new chal- 
lenges to software development, considering software 
that may adapt to changing conditions in the operational 
environment, where new services may be added as they 
become available, or cope with reconfiguration issues, 
all this at runtime and under time constraints. DA has 
been proposed to provide solutions to these challenges. 
Proposing a methodology for the study of DA is still 
an open question. Formal methods have been in use 
for a long time in the computer science community and 
a number of new approaches and formal languages is 
available. Modelling DA with a formal language can 
provide precise answers to most of the existing questions 
and grant a better understanding of DA. In this work, 
we explored the use of the formal language COWS 
to model DA and try our model against three widely 
accepted service properties: Responsiveness, Availability 
and Reliability, with the model checker CMC, which 
integrates seamlessly with COWS. 
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Appendix A 

Adaptation Manager Model in COWS. 
Listings 

To provide some details of the adaptation model, we 
introduce here their listings. 



let 

adaptManager ( service ) - 
* [X][Y][Z][XX][YY] 

service . create?<X, Y,Z,XX>.p . adaptime!<X,Y,Z,XX> 

| [X][Y][Z][XX] 

ser . checkOK?<X,Y,Z,XX>.q. exectime!<Z,XX> 

| ser . checkFail?<>. ser . launchFail!<repsvc> 

| ser . checkFail2?<>. ser . launchFail!<repsvc> 
requestor () = 

serv.create!<0,4,10,60> 

| ser . checkOK2?<>.amadapt . launchOK!<> | 
( amadapt . launchOK?<>.s . signalOK!<> 
+ ser . launchFail?<repsvc >.s . signalFail!<> 
+ ser.launchFailx?o.s. signalFail!<>) 

in 

adaptManager ( serv ) 
requestor ( ) 
* amcheck ( ) 
amcheck2 ( ) 
s. signalFail?<>.nil 
s . signalOK?<>.nil 
end 



Listing 4 

Adaptation Manager, Requestor and Main Service 



amcheck2 () = 
[X][Y] 

q. exectime?<X, Y>. 

[i#J 

[K] 

( i . selectgreater !<X gt Y> | 
(i.selectgreater?<true>. 
Amcheck_gt_deadline2 (X) - 
i . selectgreater?<false >. 
Amcheck_le_deadline2 (X) 

) 

) 



Listing 6 
Execution-time check 



Appendix B 

Verification of Properties with CMC 

The runs of the model checker CMC on the conditions 
specified in Section [5] follows. 



c ? EG [request (anchec JO ] RG IrespDnsetselectgre 
c> - Starting Evaluation with LIS Bound set to 
he Fornu la : "EG I request Unc lice k> ] HG I res puns e 
s: TKUE 

(states generated 3 9, confutations F; 
c > why 

he f ornu la : 

EG [ request (anchecJO ] RG I respi 

is FOUND_TKUE in State CI 
because 

Ci —> CZ(create(0,4,10,&0» /■ : 



Ci — > CZ(create(0,4,10,&0» /■ s evv . c i-eat e* < 0, -J, 10, 

CZ —> C3{adaptine(0.4.10.fc0» /h p . adapt ime! <0, 4, H 

C3 — > CK3electgreater<Fal5e» ifll 8 . B elec t greater 1 
ter?<false> *s 
C4 — > C5<thec>;C'K<0.1.10.b0» ser.checM)K!<0. "J, il 
IV. Z, XX > */ 

C5 —> C&(e*ectiF»e<10.&0» /" q . exec t irce! < 1 0. fc0>.q.e; 
C6 — > C7{3electgreater<False» i828 . b elec t greater' 
later?<false> */ 

C7 — > CB{cJiecfcOK2> ^* s er . c hec M)K2! . s er . c hec M)K2? *^ 
and the f ornu In ' 

I request (ancJiecJO ] ftG I res pons e< s elec t great er> J trui 
is FOUND TRUE i„ Kt,,te CB 



e(0.1.10.b0» p.adaptirce!<0. 1, 



(a) Reliability Check with CMC 



Amcheck_gt_deadline (X) = 

(ser . checkFail!<>) 
Amcheck_le_deadline(X,Y,Z,XX) = 

( ser . checkOKKX, Y,Z,XX» 
Amcheck_gt_deadline2 (X) = 
( ser . checkFail2!<>) 
| memory . assert ?<X> .nil 
Amcheck_le_deadline2 (X) = 
(ser .checkOK2!<>) 
amcheck ( ) - 

[X][Y][Z][XX] 

p.adaptime?<X,Y,Z,XX>. 

[i#J 

( i . selectgreaterKX gt Y> | 
(i. selectgreater ?<true>. 
Amcheck_gt_deadline (X) + 
i . selectgreater?<false >. 
Amcheck_le_deadline (X, Y,Z,XX) 

) 

) 



Listing 5 
Adaptation-time check 



I C;\windo'.vi\: > ;: e - 1 I2\cn-'d.eKe - cmc07q-Windows32-*S6.e: 



c> fiC[request<adaptManager>:itrue 
— Starting Evaluation with LTS Bound set to S 
mc> The Formula: "ftG [request<adaptManager> ] true" 
is: TRUE 

i. states generated= 10, computations f ragmen ts generated= 37> 
mc> ftG [request <adaptManager> Jtrue 

ic> — Starting Evaluation with LTS Bound set to 8 
he Formula : "ftG [request <adapt Manager > ] true " 
is: TRUE 

i. states generated= 10, computations f ragmen ts generated= 37> 
mc> AG [request <adaptHanager> Jtrue 

ic> — Starting Evaluation with LTS Bound set to 8 
he Formula: "ftG [request<adaptManager> ] true" 
is: TRUE 

tstates generated= 10, computations fragments generated= 37> 



(b) Availability Check with CMC 




(c) Responsiveness Check with CMC 

Fig. 3. CMC Runs 
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